CVE-2026-46545: nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item
(updated )
A remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes).
A malicious peer can respond to a RequestChunk with a ResponseChunk::Chunk whose first TrieItem.key is the empty (ROOT) key. The chunk passes sorting, range, and Merkle-proof validation, but when put_raw tries to store a value at the root node, it calls TrieNode::put_value(...).unwrap(), which returns Err(RootCantHaveValue) and panics, aborting the node process. The panic fires on the first malicious chunk the victim commits; no rate limit or authentication gate caps the attack.
Impacted: any node running state sync against untrusted peers — this includes fresh nodes performing initial download and existing nodes recovering from data loss. Honest nodes never construct ROOT-keyed items, so non-syncing operation is unaffected.
References
- github.com/advisories/GHSA-mw3q-r9wh-h2ff
- github.com/nimiq/core-rs-albatross/commit/0fb8766adea91e038af00e635a6eb92756e50172
- github.com/nimiq/core-rs-albatross/pull/3762
- github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0
- github.com/nimiq/core-rs-albatross/security/advisories/GHSA-mw3q-r9wh-h2ff
- nvd.nist.gov/vuln/detail/CVE-2026-46545
Code Behaviors & Features
Detect and mitigate CVE-2026-46545 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →